The shadowy hackers behind the military-grade Stuxnet worm and
Duqu Trojan may have struck again, this time with a very
sophisticated information-stealing malware toolkit alternately
called Flame, Flamer or Skywiper.

However, this new bug may date back to 2007, making it older than
Stuxnet, and possibly indicating that there are other unknown
pieces of malware yet to be discovered.

"Skywiper is certainly the most sophisticated malware we
encountered during our practice," CrySyS analysts said in the
introduction to an extensive technical report on the malware
released today (May 28). "Arguably, it is the most complex
malware ever found."

The Russian security firm Kaspersky Lab said Flame/Skywiper has
apparently been deleting information from computers in the Middle
East, but that its main goal is to collect information and send
it across the Internet to command-and-control servers located in
several different countries.

"This malware is a platform which is capable of receiving and
installing various modules for different goals," said the MAHER
posting in what appeared to be hastily translated English. "At
the time of writing, none of the 43 tested [anti-virus programs]
could detect any of the malicious components."

(Many of the top anti-virus software makers, including McAfee,
Symantec, Sophos and Kaspersky, today updated their virus
definitions to include Flame/Skywiper.)

"The geography of the targets ... and also the complexity of the
threat leaves no doubt about it being a nation-state that
sponsored the research that went into it," Kaspersky Lab analyst Alexander Gostev
said in a blog posting today.

Like Duqu and Stuxnet, Flame/Skywiper is extremely sophisticated;
Gostev said that it "might be the most sophisticated cyber weapon
yet unleashed. ... It pretty much redefines the notion of
cyberwar and cyberespionage."

That indicates that this new bug wasn't crafted by
Russian cyberthieves, who make their malware only as complex
as it needs to be to avoid common detection methods.

It's possible it could have been made by
Chinese military hackers, but their standard mode of
operation is to combine advanced malware with mundane
social-engineering attacks such as phishing emails.

The authors of Duqu and Stuxnet, two weaponized pieces of malware
that share a remarkable amount of code, are unknown, but the
general consensus is that the United States and Israel created both
bugs.

Stuxnet targeted Iran's nuclear program, specifically the
uranium-refinement facility at Natanz, which fell behind in
production about the time Stuxnet was discovered. Duqu's
aims and methods are less specific, but it was clearly created by
the same team behind Stuxnet.

Flamer/Skywiper is more general-purpose than either Duqu or
Stuxnet, being essentially very sophisticated, multipurpose
spyware. It has about 20 different plug-ins that enable it to
be configured for specific targets, which has already produced a
detectable number of variants of different sizes.

"Flame appears to be a project that ran in parallel with
Stuxnet/Duqu," wrote Gostev. "There are, however, some links
which could indicate that the creators of Flame had access to
technology used in the Stuxnet project."

"We cannot exclude the possibility that the attackers hired
multiple independent development teams for the same purpose, and
Skywiper and Duqu are two independent implementations developed
for the same requirement specifications," wrote the CrySyS
analysts.

How it works

Gostev said Flamer/Skywiper is "a complete attack toolkit
designed for general cyber-espionage purposes," at once "a
backdoor, a Trojan and ... has worm-like features."

Its original vector of infection is unclear, but once installed
on a Windows XP, Vista or 7 machine, it sniffs network traffic
(including Bluetooth and Wi-Fi activity), logs keystrokes, takes
screenshots and records audio through a computer's built-in
microphone.

"Information gathering from a large network of infected computers
was never crafted as carefully as in Skywiper," said the CrySyS
report. "The malware is most likely capable to use all of the
computer's functionalities for its goals."

It avoids detection by posing as common Windows files, such as
the ".ocx" files used for Microsoft's ActiveX software.

Flame/Skywiper is also remarkably big — a whopping 20 megabytes,
depending on configuration. Most pieces of malware are well under
one megabyte.

Gostev said its size is partly due to Flame/Skywiper containing
multiple libraries of data and a few databases, as well as the
optional plug-ins.

"It will probably take [a] year to fully understand the 20
megabytes of code of Flame," Gostev wrote.

Like Duqu, Flame/Skywiper was created using a programming
language not commonly used by malware creators. In Duqu's case,
it was Objective C, now mainly used to create software for Apple
hardware. In the case of the new malware, it's a Brazilian
programming language called Lua, most often used to create video
games such as "Angry Birds."

Like Duqu, it may date back to 2007; CrySyS's analysts searched
through their records and found that some of Flamer/Skywiper's
components were logged back then, but not linked to any malware
until now.

Kaspersky's analysts date the new bug to February or March of
2010, a few months before Stuxnet was first discovered, but note
that many false file-creation dates, such as 1992 and 1995, are
embedded in the code to throw researchers off the trail.
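The forged compile dates and the ".ocx" disguise described above are the kind of thing a first-pass triage script can surface. The following is an added example, not code from this article or from Kaspersky, CrySyS or any other team named here: using only Python's standard library, it builds a few constructed PE header stubs, reads the COFF TimeDateStamp, flags stamps that fall before an assumed 1993 cut-off or after the analysis date, and checks whether a file named ".ocx" or ".dll" actually carries the DLL flag in its header. The sample names, the 1993 cut-off and the reference date are assumptions made for the example.

```python
import struct
from datetime import datetime, timezone

# Earliest compile date this triage treats as believable for a Win32 PE file.
# The cut-off is an assumption made for this example, not a value from the article.
EARLIEST_PLAUSIBLE = datetime(1993, 1, 1, tzinfo=timezone.utc)

# Reference "now" for the check: the article's publication date (assumed year).
ANALYSIS_TIME = datetime(2012, 5, 28, tzinfo=timezone.utc)

IMAGE_FILE_DLL = 0x2000  # COFF Characteristics flag set on DLL and OCX images


def build_minimal_pe(timestamp: int, characteristics: int = 0x2102) -> bytes:
    """Constructed sample: a DOS header whose e_lfanew points at 'PE\\0\\0'
    followed by a 20-byte COFF header. Only the fields the parser reads are set."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff_header = struct.pack(
        "<HHIIIHH",
        0x14C,            # Machine: IMAGE_FILE_MACHINE_I386
        1,                # NumberOfSections
        timestamp,        # TimeDateStamp: seconds since 1970-01-01 UTC
        0, 0,             # PointerToSymbolTable, NumberOfSymbols
        0xE0,             # SizeOfOptionalHeader (PE32)
        characteristics,  # Characteristics
    )
    return dos_header + b"PE\x00\x00" + coff_header


def read_coff_header(data: bytes) -> dict:
    """Parse the COFF file header of a PE image and return the fields triaged on."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found")
    machine, nsections, stamp, _, _, _, chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    return {"machine": machine, "sections": nsections,
            "timestamp": stamp, "characteristics": chars}


def classify_timestamp(stamp: int, now: datetime) -> str:
    """Label a COFF TimeDateStamp; 'now' is a parameter so results are reproducible."""
    if stamp == 0:
        return "zeroed"
    when = datetime.fromtimestamp(stamp, tz=timezone.utc)
    if when < EARLIEST_PLAUSIBLE:
        return "implausibly-old"
    if when > now:
        return "in-the-future"
    return "plausible"


def triage(name: str, data: bytes, now: datetime) -> dict:
    """Combine the timestamp check with a filename-versus-header consistency check."""
    hdr = read_coff_header(data)
    is_dll = bool(hdr["characteristics"] & IMAGE_FILE_DLL)
    claims_dll = name.lower().endswith((".dll", ".ocx"))
    return {
        "name": name,
        "compiled": datetime.fromtimestamp(hdr["timestamp"], tz=timezone.utc).isoformat(),
        "timestamp_verdict": classify_timestamp(hdr["timestamp"], now),
        "name_matches_header": is_dll == claims_dll,
    }


def _epoch(year: int, month: int, day: int) -> int:
    return int(datetime(year, month, day, tzinfo=timezone.utc).timestamp())


# Constructed samples, not real Flame components: a 1992 stamp, a 1995 stamp,
# a stamp later than the analysis date, and an ".ocx" whose header lacks the DLL flag.
SAMPLES = [
    ("sample_a.ocx", build_minimal_pe(_epoch(1992, 6, 1))),
    ("sample_b.ocx", build_minimal_pe(_epoch(1995, 3, 15))),
    ("sample_c.ocx", build_minimal_pe(_epoch(2013, 1, 1))),
    ("sample_d.ocx", build_minimal_pe(_epoch(2010, 2, 10), characteristics=0x0102)),
]


def run_triage(now: datetime = ANALYSIS_TIME) -> list:
    """Triage every constructed sample and return the findings in order."""
    return [triage(name, data, now) for name, data in SAMPLES]


if __name__ == "__main__":
    for finding in run_triage():
        print(finding)
```

The 1995 sample passes the timestamp check, which is exactly the article's point: a forged date that falls inside a believable range is indistinguishable from a real one, so a compile stamp is at best a weak signal to be compared against independent evidence such as first-seen dates in telemetry or archives, as CrySyS did when it searched its own records.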

"Flame appears to be much, much more widespread than Duqu, with
probably thousands of victims worldwide," Gostev said. "The
targets are also of a much wider scope, including academia,
private companies, specific individuals and so on."

Only the tip of the iceberg?

The muddled timeline, the relatively ancient age of some of its
components and the variability of its configuration indicate
that Flame/Skywiper has been infecting computers for years, and
that other highly sophisticated pieces of malware may yet remain
to be discovered.

"Stuxnet, Duqu and Flame are all examples of cases where we — the
anti-virus industry — have failed," wrote F-Secure analyst Mikko Hypponen in a blog
posting today. "All of these cases were spreading undetected
for extended periods of time."